CVE-2026-34999

Name of the Vulnerable Software and Affected Versions OpenViking versions 0.2.5 through 0.2.13

Description OpenViking versions 0.2.5 through 0.2.13 have a missing authentication check in the bot proxy router. This allows remote, unauthenticated attackers to access protected bot proxy functionality by sending requests to the 'POST /bot/v1/chat' and 'POST /bot/v1/chat/stream' API endpoints. Attackers can bypass authentication and interact directly with the upstream bot backend through the OpenViking proxy without valid credentials.

Recommendations Update to version 0.2.14 or later.